EP4080846A1 - Cryptographically protected communication connection between physical components - Google Patents
- Publication number
- EP4080846A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- physical component
- digital twin
- identification information
- proof
- authorization
- Prior art date
- Legal status (as listed by Google Patents; not a legal conclusion)
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- G06F21/445—Program or device authentication by mutual authentication, e.g. between devices or programs
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Definitions
- The present invention relates to a method for setting up a cryptographically protected communication connection between a first physical component and a second physical component.
- The invention also relates to an associated physical component, a computer program product and a computer-readable medium.
- A digital twin is a virtual, digital image of a real, i.e. physical, object, in particular a component, a device, a machine or a plant.
- A digital twin can also be referred to as an administration shell or asset administration shell.
- The digital twin is located on an IT system and can be reached via a communication network at an address, in particular an IP address, a DNS name or a URL.
- Data from the real object is mapped into its digital twin via a communication interface, either directly or indirectly via other systems or components that are able to communicate with the real object and its digital twin.
- Real objects will interact dynamically and flexibly with each other in the future. The real objects therefore need to communicate with other objects or components with which they previously had no communication relationship.
- The real objects and/or the further objects can in particular be simple sensors or actuators with very limited functions and resources, but also more complex systems.
- Secure communication protocols in the automation environment (in particular OPC UA, TLS, IPsec/IKEv2 and MACsec IEEE 802.1AE), the provisioning of credentials as part of an engineering or commissioning phase, the use of key servers for key distribution (in particular the Global Discovery Service for OPC UA and GDOI key servers) and the use of IAM services (in particular OpenID Connect, OAuth2 and Kerberos) are known. With the help of these services it is also possible to distribute an application-specific key or token, which can subsequently be used to secure a further application protocol.
- The object of the invention is to provide a solution that allows components in the Industry 4.0 environment to communicate securely with one another even if no communication relationship and no security relationship previously existed between these components.
- The invention results from the features of the independent claims. Advantageous developments and refinements are the subject matter of the dependent claims. Configurations, possible applications and advantages of the invention result from the following description and the drawings.
- The invention relates to a method for setting up a cryptographically protected communication connection between a first physical component and a second physical component, the first physical component being connected to a first digital twin and the second physical component being connected to a second digital twin.
- One aspect of the invention is to provide a method in which the trust relationship for a communication relationship between two physical components, the first physical component and the second physical component, is established via their digital twins, and in which the physical components receive the data necessary to establish an adequately secured connection, namely the first credential and the second credential, from their digital twins.
- The invention thus provides a solution for dynamically building up a secure communication relationship without a previously established trust relationship between the physical components.
- The components identify themselves with identification information, which can also be designated as an identifier, in particular a MAC address, a UUID, a device type and/or a serial number.
- The physical components pass the identification information of the communication partner on to their own digital twin and instruct it to establish a trust relationship that can be used between the physical components.
- The already established and secured connection between the physical component and its digital twin is used as the communication channel for this.
- A connection is then established between the first digital twin and the second digital twin if no connection already exists between them.
- The request to set up the connection between the first digital twin and the second digital twin can take the form of a request, in particular a request to establish a trust relationship, which leads to the proof of authorization.
- The digital twin decides in which form the trust relationship is to be established. In particular, it can take the form of establishing the connection.
- The two digital twins are designed to communicate via a broker using a publish-subscribe protocol, so that a direct connection between the two digital twins is not required.
- The request to establish a connection between the first digital twin and the second digital twin and the request to determine a first proof of authorization or a second proof of authorization depend on security guidelines, the first identification information and the second identification information. On this basis the digital twins establish a trust relationship on behalf of the physical components; for this purpose, the digital twins mutually authenticate themselves as representatives of their physical components.
- The first proof of authorization is created by the first digital twin and the second proof of authorization by the second digital twin.
- First proofs of authorization and second proofs of authorization, which can also be designated as credentials, are generated.
- A proof of authorization can in particular be embodied as a symmetric key, an asymmetric key, a raw key, or in the form of a certificate, a one-time password or a token.
- Security guidelines within the meaning of the invention are in particular predeterminable rules or criteria of a configurable policy which can be evaluated to check whether the generation of a first proof of authorization or a second proof of authorization is permissible, or which are used in that generation.
- The determination of the first proof of authorization or the second proof of authorization can be designed as generation by the first or second digital twin. Additionally or alternatively, an external security server can take over the generation and forward the first proof of authorization or the second proof of authorization to the digital twins.
- Requesting the determination of the first proof of authorization or the second proof of authorization can be designed such that the first digital twin requests the first proof of authorization from the second digital twin and the second digital twin requests the second proof of authorization from the first digital twin.
- The first digital twin and/or the second digital twin can receive the respective proof of authorization from another unit, in particular a server.
- The credentials are transmitted from the digital twins to the respective physical component.
- A secure, cryptographically protected connection, in particular a communication relationship, is then used between the two physical components based on the credentials negotiated by the digital twins.
- The invention offers the advantage that physical components can establish a secure communication relationship dynamically and ad hoc, without the necessary credentials having to be provisioned on the components in advance and without the communication partners having to be known in advance.
- The components do not have to be part of a common public key infrastructure, which significantly reduces the administrative effort. The resource requirements are also reduced, so that components with fewer resources are able to establish a secure communication relationship as well. In particular, complex protocol processes for key management and the ongoing maintenance of the trust relationship (e.g. updating root certificates, OCSP queries) can be relocated from the physical component to the digital twin.
- The invention also relates to the method for setting up a cryptographically protected communication connection between a first physical component and a second physical component, the first physical component being connected to a first digital twin and the second physical component being connected to a second digital twin, as seen from the first digital twin.
- The cryptographically protected communication connection between the first physical component and the second physical component is set up with the inclusion of a second proof of authorization, the second proof of authorization being created by the second digital twin.
- A negotiation of the first credential and/or the second credential can thus be realized directly between the digital twins or via another trusted entity, specifically a management server.
- The connection between the first digital twin and the second digital twin is designed as a Transport Layer Security connection.
- TLS: Transport Layer Security (TLSv1.2, RFC 5246; TLSv1.3, RFC 8446).
- Using RFC 5705 (keying material exporters), a symmetric key can be exported based on the master secret negotiated in the TLS handshake; this key is then made available to the physical components.
- A token required for establishing the trust relationship between the digital twins can be provided by integrating IAM (Identity Access Management) services such as OpenID Connect.
- The security guidelines, in particular a security policy, can be determined dynamically. Depending on the policy, among other things the protection goals, the strength of the cryptographic methods and the strength of the proof of authorization or credentials to be used can be determined or negotiated dynamically.
- The security guidelines or the security policy can be represented in particular by a security level.
- With a low security level, simple, lightweight cryptographic methods and short keys can be used in particular; with a high security level, correspondingly strong methods and long keys must be used.
- The security guidelines or the security policy can be specified by the physical components, or mutually agreed, and communicated to the digital twin.
- Alternatively, the security policy is determined by the digital twins, in which case the security policy for the physical component is transferred together with the credentials.
- The connection, in particular the communication relationship, is then secured depending on the security policy and the credentials provided.
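The flow described in the items above (identifier exchange, delegation to the digital twins, a twin-to-twin TLS session, credential derivation and delivery, then protected traffic between the components), the RFC 5705 key export and the security-level dependent key strength, as an added Python example. This is not code from the patent: the `SECURITY_LEVELS` table, the exporter label `EXPORTER-twin-credential`, the class names and the identifier-bound context are assumptions, and because the standard `ssl` module exposes no keying-material exporter, the TLS session values are constructed with random bytes rather than taken from a real handshake.

```python
import hmac
import os
from dataclasses import dataclass, field

# Constructed mapping from the patent's "security level" to concrete strength parameters
# (assumption: the patent only says low = lightweight methods and short keys, high = strong and long).
SECURITY_LEVELS = {
    "low":  {"key_len": 16, "hash": "sha256"},
    "high": {"key_len": 32, "hash": "sha384"},
}


def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str) -> bytes:
    """TLS 1.2 data expansion function P_<hash> (RFC 5246, section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_exporter(master_secret: bytes, client_random: bytes, server_random: bytes,
                   label: bytes, context: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5705 keying material exporter for TLS 1.2 with a context value:
    PRF(master_secret, label, client_random + server_random + len(context) + context)."""
    seed = label + client_random + server_random + len(context).to_bytes(2, "big") + context
    return p_hash(master_secret, seed, length, hash_name)


@dataclass
class PhysicalComponent:
    ident: str                      # identification information, e.g. a serial number
    credential: bytes = b""         # proof of authorization handed over by the twin
    policy: dict = field(default_factory=dict)


@dataclass
class TlsSession:
    """What both twins hold after their mutual TLS handshake. Constructed with random bytes
    here; in a deployment these values come from the TLS stack of each twin."""
    master_secret: bytes
    client_random: bytes
    server_random: bytes


class DigitalTwin:
    def __init__(self, component: PhysicalComponent):
        self.component = component
        self.session = None

    def connect(self, session: TlsSession) -> None:
        self.session = session

    def determine_credential(self, peer_ident: str, level: str) -> bytes:
        """Derive the credential for the twin's own component from the twin-to-twin session.
        Both twins compute identical bytes, so the credential itself never crosses the network."""
        params = SECURITY_LEVELS[level]
        # Bind the key to the pair of identifiers so a key for (A, B) can never serve (A, C).
        context = "|".join(sorted([self.component.ident, peer_ident])).encode()
        return tls12_exporter(self.session.master_secret, self.session.client_random,
                              self.session.server_random, b"EXPORTER-twin-credential",
                              context, params["key_len"], params["hash"])

    def deliver(self, peer_ident: str, level: str) -> None:
        """Hand credential and security policy to the physical component over the already
        secured component-to-twin channel (modelled here as a local call)."""
        self.component.credential = self.determine_credential(peer_ident, level)
        self.component.policy = {"level": level, "hash": SECURITY_LEVELS[level]["hash"]}


def establish(a: PhysicalComponent, b: PhysicalComponent,
              twin_a: DigitalTwin, twin_b: DigitalTwin, level: str) -> bool:
    """Whole flow: identifier exchange, delegation to the twins, twin session, delivery."""
    a_sees, b_sees = b.ident, a.ident                   # components identify themselves to each other
    session = TlsSession(os.urandom(48), os.urandom(32), os.urandom(32))  # stand-in for the handshake
    twin_a.connect(session)
    twin_b.connect(session)
    twin_a.deliver(a_sees, level)                       # each component passed the peer id to its twin
    twin_b.deliver(b_sees, level)
    return a.credential == b.credential


def protect(c: PhysicalComponent, message: bytes) -> bytes:
    """The component protects application data with the delivered credential (integrity only here)."""
    return hmac.new(c.credential, message, c.policy["hash"]).digest()


def verify(c: PhysicalComponent, message: bytes, tag: bytes) -> bool:
    expected = hmac.new(c.credential, message, c.policy["hash"]).digest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    comp_a, comp_b = PhysicalComponent("SN-0001"), PhysicalComponent("SN-0002")
    twin_a, twin_b = DigitalTwin(comp_a), DigitalTwin(comp_b)
    print("credentials agree:", establish(comp_a, comp_b, twin_a, twin_b, "high"))
    tag = protect(comp_a, b"valve open")
    print("accepted:", verify(comp_b, b"valve open", tag), "tampered:", verify(comp_b, b"valve shut", tag))
```

The design point worth noticing is that the credential is never transmitted between the twins: each side derives it from the handshake secrets it already holds, and the identifier pair in the exporter context ties the key to exactly this communication relationship. A deployment would use the exported key for an AEAD rather than a bare HMAC, and would pick the exporter label from the IANA registry.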
- A connection is established between the first digital twin and the second digital twin as a function of a first environmental parameter and/or a second environmental parameter.
- The type of connection and a security level can depend on the first environmental parameter and/or the second environmental parameter.
- The request for the generation of the first proof of authorization and/or the second proof of authorization is carried out as a function of the first environmental parameter and/or the second environmental parameter.
- The first proof of authorization and/or the second proof of authorization is only generated if the first environmental parameter corresponds to the second environmental parameter, is identical to it, or the deviation between the two environmental parameters does not exceed a threshold value.
- Environmental conditions, in the form of environmental parameters of the physical components, are therefore included in the establishment of the trust relationship.
- The digital twins only establish a connection, in particular a trust relationship, if the environmental conditions of the physical components are similar or identical.
- The digital twins can also be designed to establish a connection, in particular a trust relationship, only if the environmental conditions of the physical components are plausible.
- The plausibility can be evaluated in particular by comparison with a simulation model or with simulation data.
- A chronological progression of environmental conditions present in the past can also be evaluated.
- The invention thus provides a solution for dynamically building up a secure communication relationship that is appropriate to an environment, in particular an automation environment, without a previously established trust relationship between the components.
- The environmental parameters can be detected by sensors and/or autodiscovery mechanisms, in particular existing beacon signals, in particular via Bluetooth.
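The environmental check described above (threshold comparison of the two components' parameters, plausibility against a simulation model and against the chronological progression of earlier readings, and beacon signals as an autodiscovery input), as an added Python example that is not part of the patent. The parameter names, thresholds, simulated ranges, maximum step sizes and the rule that the two components must see at least one common beacon are constructed assumptions; the patent fixes none of them.

```python
from dataclasses import dataclass, field


@dataclass
class EnvParams:
    """Environmental parameters one physical component reports to its digital twin (constructed)."""
    readings: dict                                 # numeric sensor readings, e.g. {"temperature_c": 22.0}
    beacons: frozenset = frozenset()               # identifiers of Bluetooth beacons seen nearby
    history: dict = field(default_factory=dict)    # earlier readings per parameter, oldest first


# Assumed tolerances, simulation-model ranges and largest credible change between readings.
THRESHOLDS = {"temperature_c": 2.0, "vibration_mm_s": 0.5}
SIM_RANGES = {"temperature_c": (15.0, 45.0), "vibration_mm_s": (0.0, 10.0)}
MAX_STEP = {"temperature_c": 5.0, "vibration_mm_s": 2.0}


def similar(p1: EnvParams, p2: EnvParams) -> tuple:
    """The threshold rule: both components report the same parameters, each pair differs by at
    most its threshold, and the two components observe at least one common beacon."""
    if set(p1.readings) != set(p2.readings):
        return False, "parameter sets differ"
    for name, v1 in p1.readings.items():
        if abs(v1 - p2.readings[name]) > THRESHOLDS[name]:
            return False, f"{name} deviates by more than {THRESHOLDS[name]}"
    if not (p1.beacons & p2.beacons):
        return False, "no common beacon"
    return True, "similar"


def plausible(p: EnvParams) -> tuple:
    """The plausibility rule: every reading lies within the simulation model's range and the
    chronological progression contains no jump larger than MAX_STEP, which would point to a
    faulty or manipulated sensor feed."""
    for name, value in p.readings.items():
        lo, hi = SIM_RANGES[name]
        if not lo <= value <= hi:
            return False, f"{name}={value} outside simulated range"
        series = list(p.history.get(name, ())) + [value]
        if any(abs(b - a) > MAX_STEP[name] for a, b in zip(series, series[1:])):
            return False, f"{name} progression implausible"
    return True, "plausible"


def may_generate_credential(p1: EnvParams, p2: EnvParams) -> tuple:
    """Decision the twins take before a proof of authorization is generated: refuse unless both
    environments are plausible on their own and agree with each other. The reason string is what
    a twin would log so that refused trust requests can be reviewed."""
    for p in (p1, p2):
        ok, why = plausible(p)
        if not ok:
            return False, why
    return similar(p1, p2)


if __name__ == "__main__":
    here = EnvParams({"temperature_c": 22.0, "vibration_mm_s": 1.2}, frozenset({"beacon-A"}),
                     {"temperature_c": (20.5, 21.5)})
    same_hall = EnvParams({"temperature_c": 23.4, "vibration_mm_s": 1.0}, frozenset({"beacon-A", "beacon-B"}))
    other_hall = EnvParams({"temperature_c": 31.0, "vibration_mm_s": 1.0}, frozenset({"beacon-A"}))
    print(may_generate_credential(here, same_hall))   # (True, 'similar')
    print(may_generate_credential(here, other_hall))  # (False, 'temperature_c deviates by more than 2.0')
```

Evaluating plausibility before similarity matters: two components that both report a fabricated but mutually consistent environment would pass the threshold rule alone, while the range and progression checks give the twin an independent basis for refusing.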
- The method has the further step of the first physical component receiving firewall policies from the first digital twin and/or the second physical component receiving firewall policies from the second digital twin, the first digital twin providing the firewall policies for the first physical component and the second digital twin providing the firewall policies for the second physical component.
- Firewall policies, in particular a firewall filter policy, can restrict the permissible protocols (in particular TCP, UDP, HTTP, MQTT, OPC UA), port numbers and permissible data content, the latter being monitored in particular by deep packet inspection.
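A firewall filter policy of the kind the twin would deliver to its component, with protocol, port and content restrictions enforced on constructed packets, as an added Python example that is not part of the patent. The JSON layout of the policy, the MQTT topic-prefix content rule and the packet dictionaries are assumptions; the well-known ports used (4840 for OPC UA, 1883 for MQTT, 161 for SNMP) are the registered ones.

```python
import json

# Constructed filter policy as a digital twin might hand it to its physical component
# (format is an assumption for this example; the patent does not specify one).
POLICY_FROM_TWIN = json.loads("""{
  "peer": "SN-0002",
  "allow": [
    {"protocol": "TCP", "port": 4840},
    {"protocol": "TCP", "port": 1883, "content": {"mqtt_topic_prefix": "plant/hall1/"}}
  ]
}""")


def inspect_payload(rule: dict, packet: dict) -> bool:
    """Deep packet inspection step: a rule may constrain data content, here the MQTT topic.
    A rule without a content clause accepts any payload on its protocol/port."""
    content = rule.get("content")
    if not content:
        return True
    return packet.get("mqtt_topic", "").startswith(content["mqtt_topic_prefix"])


def permitted(policy: dict, packet: dict) -> bool:
    """Default deny: a packet passes only if it comes from the peer the policy was issued for and
    matches an allow rule on protocol, port and, where the rule has one, content."""
    if packet["peer"] != policy["peer"]:
        return False
    for rule in policy["allow"]:
        if rule["protocol"] == packet["protocol"] and rule["port"] == packet["port"]:
            return inspect_payload(rule, packet)
    return False


def filter_packets(policy: dict, packets: list) -> list:
    """Apply the policy to each packet; the component would drop the ones that return False."""
    return [permitted(policy, p) for p in packets]


# Constructed packets from the peer component (and one from an unknown sender).
PACKETS = [
    {"peer": "SN-0002", "protocol": "TCP", "port": 4840},                                   # OPC UA
    {"peer": "SN-0002", "protocol": "TCP", "port": 1883, "mqtt_topic": "plant/hall1/temp"},  # allowed topic
    {"peer": "SN-0002", "protocol": "TCP", "port": 1883, "mqtt_topic": "plant/hall2/temp"},  # DPI rejects
    {"peer": "SN-0002", "protocol": "UDP", "port": 161},                                    # no rule: SNMP
    {"peer": "SN-0099", "protocol": "TCP", "port": 4840},                                   # unknown peer
]

if __name__ == "__main__":
    for packet, ok in zip(PACKETS, filter_packets(POLICY_FROM_TWIN, PACKETS)):
        print("ALLOW" if ok else "DROP ", packet)
```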
- The invention also includes a first physical component, the first physical component being designed to set up a cryptographically protected communication connection to a second physical component, the first physical component being connected to a first digital twin and the second physical component being connected to a second digital twin.
- The invention also includes a computer program product comprising a computer program, wherein the computer program can be loaded into a memory device of a computing unit and the steps of a method according to the invention are carried out with the computer program when the computer program is executed on the computing unit.
- The invention also includes a computer-readable medium on which a computer program is stored, wherein the computer program can be loaded into a memory device of a computing unit and the steps of a method according to the invention are carried out with the computer program when the computer program is executed on the computing unit.
- FIG. 1 shows a flowchart of the method according to the invention for setting up a cryptographically protected communication connection between a first physical component 1a and a second physical component 2a, the first physical component 1a being connected to a first digital twin 1b and the second physical component 2a being connected to a second digital twin 2b.
- FIG. 2 shows a schematic representation of the first physical component 1a, the second physical component 2a, the first digital twin 1b and the second digital twin 2b.
- FIG. 2 also shows the method steps S1-S7 explained for FIG. 1 in relation to the physical components 1a, 2a and their digital twins 1b, 2b.
- FIG. 3 shows, in addition to the elements of FIG. 2, a unit 3 for acquiring environmental parameters.
- A connection is established between the first digital twin 1b and the second digital twin 2b as a function of the first environmental parameter and/or the second environmental parameter.
- The type of connection and a security level can depend on the first environmental parameter and/or the second environmental parameter.
- The first environmental parameter and the second environmental parameter can be acquired by the environmental parameter acquisition unit 3.
- The request S5 for the generation of the first proof of authorization and/or the second proof of authorization is carried out as a function of the first environmental parameter and/or the second environmental parameter.
- The generation S5 of the first proof of authorization and/or the second proof of authorization is only carried out if the first environmental parameter corresponds to the second environmental parameter, is identical to it, or the deviation between the two environmental parameters does not exceed a threshold value.
- Environmental conditions, in the form of environmental parameters of the physical components 1a, 2a, are therefore included in the establishment of the trust relationship.
- The digital twins 1b, 2b only establish a connection, in particular a trust relationship, if the environmental conditions of the physical components 1a, 2a are similar or identical.
- The invention thus provides a solution for dynamically building up a secure communication relationship that is appropriate to an environment, in particular an automation environment, without a previously established trust relationship between the components.
- The unit 3 for acquiring environmental parameters can be embodied by a sensor and/or an autodiscovery mechanism which detects in particular beacon signals, in particular via Bluetooth.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP21169167.0A EP4080846A1 (fr) | 2021-04-19 | 2021-04-19 | Cryptographically protected communication connection between physical components |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP21169167.0A EP4080846A1 (fr) | 2021-04-19 | 2021-04-19 | Cryptographically protected communication connection between physical components |
Publications (1)
Publication Number | Publication Date |
---|---|
EP4080846A1 true EP4080846A1 (fr) | 2022-10-26 |
Family
ID=75581472
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP21169167.0A Withdrawn EP4080846A1 (fr) | 2021-04-19 | 2021-04-19 | Cryptographically protected communication connection between physical components |
Country Status (1)
Country | Link |
---|---|
EP (1) | EP4080846A1 (fr) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190268332A1 (en) * | 2016-08-30 | 2019-08-29 | Visa International Service Association | Biometric identification and verification among iot devices and applications |
WO2020221449A1 (fr) * | 2019-04-30 | 2020-11-05 | Telefonaktiebolaget Lm Ericsson (Publ) | Provision of resources for mobile entities |
- 2021-04-19: EP application EP21169167.0A, published as EP4080846A1 (fr); status: not active, withdrawn
Similar Documents
Publication | Title |
---|---|
DE102014113582B4 (de) | Device, method and system for context-aware security control in a cloud environment |
EP3518492B1 (fr) | Method and system for disclosing at least one cryptographic key |
EP1320962B1 (fr) | Access control method |
EP3681102B1 (fr) | Method for validating a digital user certificate |
WO2009106214A2 (fr) | Client/server system communicating according to the OPC UA standard protocol with single sign-on authentication mechanisms, and method for performing single sign-on in this system |
DE102022208744A1 (de) | Secure remote access to devices in overlapping subnets |
DE10296987T5 (de) | Dynamic configuration of IPsec tunnels |
EP3661113A1 (fr) | Method and device for transferring data in a publish-subscribe system |
EP3058701B1 (fr) | Method, management device and apparatus for certificate-based authentication of communication partners in a device |
WO2020229537A1 (fr) | Method for selectively executing a container, and network arrangement |
EP3759958B1 (fr) | Method, apparatus and computer program product for monitoring an encrypted connection in a network |
EP3935808B1 (fr) | Cryptographically protected provision of a digital certificate |
DE102017212474A1 (de) | Method and communication system for checking connection parameters of a cryptographically protected communication connection during connection establishment |
EP4080846A1 (fr) | Cryptographically protected communication connection between physical components |
EP1496664A2 (fr) | System, method and security module for securing a user's access to at least one automation component of an automation system |
DE102015223078A1 (de) | Device and method for adapting authorization information of a terminal device |
DE60219915T2 (de) | Method for securing communications in a computer system |
EP3937451B1 (fr) | Method for generating an encrypted connection |
EP4179758B1 (fr) | Authentication of a communication partner on a device |
EP3881486B1 (fr) | Method for providing a proof of origin for a digital key pair |
EP3442193B1 (fr) | Method for establishing a communication channel between a first and a second server device |
EP3809661A1 (fr) | Method for authenticating a client device when accessing an application server |
WO2017190857A1 (fr) | Method and device for securing access to devices |
EP1496665B1 (fr) | Method for security configuration in an automation network |
EP4152689A1 (fr) | Method, computer program product and device for creating a certificate for the secure provision of services |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PUAI | Public reference made under article 153(3) EPC to a published international application that has entered the European phase | Free format text: ORIGINAL CODE: 0009012 |
 | STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED |
 | AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
 | STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
 | 18D | Application deemed to be withdrawn | Effective date: 20230427 |